anomaly vs signature


anomaly vs signature

by miaomitiff119

Recently I was given a task to survey the relative success of Intrusion Signature Detection and Intrusion Anomaly Detection. Does anyone know how to get a complete list of all IDS products?:) From what I know, there are more signature detection systems on the market than the anomaly detection systems...is that true? What about the hybrid of the two?:)

Thank you!!!!

Re: anomaly vs signature

by SanjayR-2

Yes...it's true that there are more anomaly based ID systems than the
misuse based. One possible reason may be the rate of FPs for anomaly
based systems. If you look at the research perspective, there is a
big gap between research and commercial ID systems. The reason may be
that research is focusing on machine learning and data mining
algorithms, and such algorithms may be expensive, especially in the
case of IPS (in the case of IDS, it should be OK). However, the good
thing is that now I hear companies talking about anomaly based
detection engines in their products. Therefore, we are going to see
some hybrid IDS too..
There is a list of products on Honeynet..
http://www.honeypots.net/ids/products

thanks
-Sanjay

At 04:33 PM 7/26/2006, miaomitiff119 wrote:

>Recently I was given a task to survey the relative success of Intrusion
>Signature Detection and Intrusion Anomaly Detection. Does anyone know how to
>get a complete list of all IDS products?:) From what I know, there are more
>signature detection systems on the market than the anomaly detection
>systems...is that true? What about the hybrid of the two?:)

Sanjay Rawat
INTOTO Software (India) Private Limited
   Homepage: http://sanjay-rawat.tripod.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


Re: anomaly vs signature

by SanjayR-2

There is a mistake in my previous post...
Please read the first line as "Yes...it's true that there are more
misuse based ID systems than the anomaly based."
thanks
At 11:02 AM 7/28/2006, SanjayR wrote:

>Yes...it's true that there are more anomaly based ID systems than the
>misuse based.

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website: www.intoto.com
   Homepage: http://sanjay-rawat.tripod.com



Re: anomaly vs signature

by Roland Dobbins

On Jul 31, 2006, at 8:58 PM, SanjayR wrote:

> Please read the first line as "Yes...it's true that there are more
> misuse based ID systems than the anomaly based."
> thanks
> At 11:02 AM 7/28/2006, SanjayR wrote:
>> Yes...it's true that there are more anomaly based ID systems than
>> the misuse based. One possible reason may be the rate of FPs for
>> anomaly based systems. If you look at the research perspective,
>> there is a big gap between the research and commercial ID systems.
>> Reason may be research is focusing on Machine learning, data mining

I can't agree with this statement - properly-implemented AD systems
don't exhibit false positives at all; the key is whether or not one
-cares- about the anomalies one's seeing (and that's where tuning
comes in). My operational experience with commercial anomaly-detection
systems on production networks over the last 5 years is that they're
extremely useful for SP and large enterprise opsec teams in terms of
detecting/classifying/tracing back DoS attacks, worm outbreaks, and
other forms of network behaviors which may not be deemed security
risks in and of themselves, but which are interesting or of possible
forensic value (e.g., a user kicks off a large ftp transfer to a server
he's never accessed before, etc.), and I've never seen a false positive
during that time.

There are several commercial AD systems (both statistical and
behavioral) which are quite good; there's also an open-source project
called Panoptis, but it's been inactive for a while.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@...> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck



Re: anomaly vs signature

by mykii

Indeed, categorization can be done between anomaly based vs. signature based.
That's the traditional approach; a complementary one is white list (everything
not recognized is not allowed) vs. black list (I only stop what I know to be
suspicious -signature, protocol anomaly, ...-, the rest is accepted). This
second approach is, from our point of view, less efficient and much more
resource consuming. I would like to suggest you test (and give your
feedback!) our beta test product: http://www.binarysec.com, which is a
web firewall to be installed on an Apache server (with Linux); it uses an
artificial intelligence engine. Everything is software (1 Apache module + 1
server).

Michael Vergoz

----- Original Message -----
From: "Roland Dobbins" <rdobbins@...>
To: <focus-ids@...>
Sent: Wednesday, August 02, 2006 5:53 PM
Subject: Re: anomaly vs signature


> I can't agree with this statement - properly-implemented AD systems don't
> exhibit false positives at all; the key is whether or not one -cares-
> about the anomalies one's seeing (and that's where tuning comes in).


Re: anomaly vs signature

by Rodrigo Blanco

Hello,

With such a changing market, any "complete" product list might be
obsolete tomorrow... :-) Also, bear in mind the different approaches
(host/network-based, detection/prevention, ...), but here you go, this
is quite a complete one:

http://www.honeypots.net/ids/products

IMHO, more vendors are still focused on signature systems rather than
anomaly detection. But this should change in the future, with more
vendors using multiple decision criteria ("hybrid" solutions).

A good example of a hybrid technology is McAfee IntruShield (IPS),
which combines signature and anomaly detection:

https://secure.nai.com/us/enterprise/products/network_intrusion_prevention/index.html

Best regards,
Rodrigo.


On 26/07/06, miaomitiff119 <miaomitiff119@...> wrote:

> Recently I was given a task to survey the relative success of Intrusion
> Signature Detection and Intrusion Anomaly Detection. Does anyone know how to
> get a complete list of all IDS products?:) From what I know, there are more
> signature detection systems on the market than the anomaly detection
> systems...is that true? What about the hybrid of the two?:)

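The thread contrasts three detection stances without showing what they look like in code: the misuse (signature) engine Sanjay and Rodrigo discuss, the behavioural anomaly Roland describes (a user starting a large ftp transfer to a server he has never used, where tuning decides whether anyone cares), and the white-list stance mykii raises. The script below is an added example, not code from any poster or product in this thread. Everything in it is constructed: the flow records, the two signature patterns, the per-user baseline, and the tuning knobs `size_factor`, `alert_at` and `mode`. It also goes slightly beyond the thread by combining the two engines into a hybrid verdict, the kind of multiple-criteria decision Rodrigo mentions.

```python
"""Toy signature vs anomaly detection with a hybrid verdict.

Added example (not from any product or poster in this thread). Flow records,
signature patterns and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    user: str             # who initiated the connection
    dst: str              # server contacted
    service: str          # "ftp", "http", ...
    nbytes: int           # bytes transferred
    payload: bytes = b""  # leading request bytes, if captured


# Misuse (signature) engine: a deny-list of known-bad content, in the style
# of an IDS content rule. Both patterns are constructed placeholders.
SIGNATURES = {
    "SIG-TRAVERSAL": re.compile(rb"\.\./\.\./"),
    "SIG-NULL-BYTE": re.compile(rb"%00"),
}


def signature_hits(flow):
    """Names of every signature whose pattern occurs in the flow payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


@dataclass
class Baseline:
    """Per-user behavioural profile learned from a training window."""
    servers: dict = field(default_factory=lambda: defaultdict(set))
    mean_bytes: dict = field(default_factory=dict)

    @classmethod
    def learn(cls, flows):
        base = cls()
        totals = defaultdict(lambda: [0, 0])  # user -> [byte sum, flow count]
        for f in flows:
            base.servers[f.user].add(f.dst)
            totals[f.user][0] += f.nbytes
            totals[f.user][1] += 1
        base.mean_bytes = {u: s / n for u, (s, n) in totals.items()}
        return base


def anomaly_score(flow, baseline, size_factor=10.0):
    """0, 1 or 2: +1 for a server this user has never contacted, +1 for a
    transfer larger than size_factor times the user's mean. size_factor is
    the tuning knob: it changes what the operator cares about, not what is
    anomalous."""
    score = 0
    if flow.dst not in baseline.servers.get(flow.user, set()):
        score += 1
    mean = baseline.mean_bytes.get(flow.user, 0.0)
    if mean and flow.nbytes > size_factor * mean:
        score += 1
    return score


def hybrid_verdict(flow, baseline, size_factor=10.0, alert_at=2, mode="denylist"):
    """Combine both engines. A signature hit is 'known-bad' regardless of
    score. In 'allowlist' mode anything outside the learned profile is
    'denied' outright (the white-list stance); in 'denylist' mode only an
    anomaly score >= alert_at is reported, as 'suspicious'."""
    hits = signature_hits(flow)
    if hits:
        return "known-bad", hits
    if mode == "allowlist" and flow.dst not in baseline.servers.get(flow.user, set()):
        return "denied", flow.dst
    score = anomaly_score(flow, baseline, size_factor)
    if score >= alert_at:
        return "suspicious", score
    return "normal", score


# Constructed training window: ordinary activity for two users.
TRAINING = [
    Flow("alice", "files.internal", "ftp", 20_000),
    Flow("alice", "files.internal", "ftp", 30_000),
    Flow("alice", "wiki.internal", "http", 5_000),
    Flow("bob", "wiki.internal", "http", 4_000),
    Flow("bob", "wiki.internal", "http", 6_000),
]
BASELINE = Baseline.learn(TRAINING)

# Constructed flows to classify: a routine transfer, the large-ftp-to-a-new-
# server case from the thread, and a request carrying a signature match.
NEW_FLOWS = [
    Flow("alice", "files.internal", "ftp", 25_000),
    Flow("alice", "backup-7.internal", "ftp", 900_000_000),
    Flow("bob", "wiki.internal", "http", 5_000, b"GET /docs/../../secret.txt"),
]


def classify_all(flows=NEW_FLOWS, baseline=BASELINE, **knobs):
    """Verdict for every flow; knobs are forwarded to hybrid_verdict."""
    return [hybrid_verdict(f, baseline, **knobs) for f in flows]


if __name__ == "__main__":
    for f, (verdict, detail) in zip(NEW_FLOWS, classify_all()):
        print(f"{f.user:6} -> {f.dst:18} {verdict:10} {detail}")
    # Raising size_factor leaves the big transfer at score 1, below alert_at:
    print(classify_all(size_factor=1e9)[1])
```

The second flow is the behaviour Roland describes: with the default knobs it scores 2 and is reported, while a much larger `size_factor` leaves it at 1 and it is not, which is his point that the anomaly is real either way and tuning only decides whether it is worth reporting. Switching `mode` to `"allowlist"` turns the same profile into mykii's white list, where the never-seen server is denied before any score is computed, and the signature engine still fires on the third flow regardless of profile.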